Security: phinaldoo/code_execution

SECURITY.md

Vulnerability Disclosure Policy

This document describes how to report security vulnerabilities in the ChatUI Project.

Please help us keep ChatUI secure by reporting suspected vulnerabilities responsibly and privately.

Reporting a Vulnerability

Please do not report security vulnerabilities through public GitHub issues, pull requests, discussions, or comments.

Instead, please report vulnerabilities privately through GitHub private vulnerability reporting for this repository. If you are reviewing a self-hosted deployment, use the monitored security contact published by that deployment operator.

Self-hosted operators should publish a dedicated security email or intake form before any public beta, and route it to an on-call owner who can triage container escape, data exposure, and denial-of-service reports quickly.

Please include as much detail as possible, including:

  • A clear description of the vulnerability
  • Steps to reproduce the issue
  • The affected version, commit, or environment
  • Any proof-of-concept code, screenshots, logs, or technical details
  • The potential impact, if known

We will acknowledge your report as soon as possible and investigate it promptly. If the vulnerability is confirmed, we will work on a fix and coordinate disclosure responsibly.

Responsible Disclosure

We ask that you:

  • Do not publicly disclose the vulnerability before we have had reasonable time to investigate and fix it
  • Do not exploit the vulnerability beyond what is necessary to verify it
  • Do not access, modify, delete, or exfiltrate data that does not belong to you
  • Do not disrupt the availability or integrity of the project or related services

We appreciate good-faith security research and will make reasonable efforts to work with researchers who follow this policy.

Why Not Create a Public Issue or Pull Request?

Public vulnerability reports can put users at risk.

Malicious actors frequently scan public repositories, issues, pull requests, commit messages, and discussions for security weaknesses. Once a vulnerability becomes public, it may be exploited before users have had a chance to update.

This risk has increased with the rise of automated and AI-assisted vulnerability discovery and exploitation. For this reason, security reports should be sent through private channels first.

Public References to Security Fixes

When fixing security vulnerabilities, we aim to avoid exposing sensitive details in public GitHub activity before a fix is safely available.

Where possible, we will avoid public issue titles, pull request descriptions, commit messages, or changelog entries that reveal exploitable security details before users have had time to update.

Security-related changes may be described more generally until disclosure is appropriate.

Thank You

We appreciate your help in making the ChatUI Project more secure for everyone.

Thank you for supporting responsible disclosure.